From b79f2b45be05fd4088a28085bb4f33aaff5dda28 Mon Sep 17 00:00:00 2001
From: Boden R
Date: Thu, 11 May 2017 06:36:06 -0600
Subject: [PATCH] use is_port_trusted from neutron-lib

neutron-lib 1.6.0 is out and among other things contains the rehomed is_port_trusted function. This patch switches usage of that function from neutron to neutron-lib.

NeutronLibImpact

Change-Id: I1c8a32d4806092daae99cd4860523c7d6335fc75
---
 neutron/api/rpc/handlers/securitygroups_rpc.py | 4 ++--
 neutron/common/utils.py | 9 ---------
 neutron/db/ipam_backend_mixin.py | 3 ++-
 neutron/db/portsecurity_db.py | 4 ++--
 neutron/db/securitygroups_db.py | 6 +++---
 .../plugins/ml2/drivers/linuxbridge/agent/arp_protect.py | 4 ++--
 neutron/plugins/ml2/extensions/port_security.py | 4 ++--
 7 files changed, 13 insertions(+), 21 deletions(-)

diff --git a/neutron/api/rpc/handlers/securitygroups_rpc.py b/neutron/api/rpc/handlers/securitygroups_rpc.py
index 7bd54073dd2..e3a32f027d6 100644
--- a/neutron/api/rpc/handlers/securitygroups_rpc.py
+++ b/neutron/api/rpc/handlers/securitygroups_rpc.py
@@ -13,6 +13,7 @@
 # under the License.
 
 from neutron_lib.plugins import directory
+from neutron_lib.utils import net
 from oslo_log import log as logging
 import oslo_messaging
 
@@ -20,7 +21,6 @@ from neutron._i18n import _LW
 from neutron.common import constants
 from neutron.common import rpc as n_rpc
 from neutron.common import topics
-from neutron.common import utils
 
 LOG = logging.getLogger(__name__)
 
@@ -80,7 +80,7 @@ class SecurityGroupServerRpcCallback(object):
         return dict(
             (port['id'], port)
             for port in self.plugin.get_ports_from_devices(context, devices)
-            if port and not utils.is_port_trusted(port)
+            if port and not net.is_port_trusted(port)
         )
 
     def security_group_rules_for_devices(self, context, **kwargs):
diff --git a/neutron/common/utils.py b/neutron/common/utils.py
index 8f0925a178f..c8e3d86a279 100644
--- a/neutron/common/utils.py
+++ b/neutron/common/utils.py
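Review bot: Nothing in this patch pins the neutron-lib minimum version that the new `from neutron_lib.utils import net` line in the first hunk relies on: the diffstat lists no requirements or constraints change, so against a neutron-lib older than the 1.6.0 named in the commit message the module imports fine and `net.is_port_trusted` only fails with AttributeError when the first security-group lookup runs, inside the code that decides which ports get filtering. Unless the minimum was already raised in a separate change, bump `neutron-lib>=1.6.0` in requirements.txt alongside this patch. The same dependency applies to the import hunks in ipam_backend_mixin.py, portsecurity_db.py, securitygroups_db.py, arp_protect.py and port_security.py. The method whose `return dict(` body the third hunk changes begins outside the hunk.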
@@ -277,15 +277,6 @@ def ip_version_from_int(ip_version_int):
     raise ValueError(_('Illegal IP version number'))
 
 
-def is_port_trusted(port):
-    """Used to determine if port can be trusted not to attack network.
-
-    Trust is currently based on the device_owner field starting with 'network:'
-    since we restrict who can use that in the default policy.json file.
-    """
-    return port['device_owner'].startswith(n_const.DEVICE_OWNER_NETWORK_PREFIX)
-
-
 class DelayedStringRenderer(object):
     """Takes a callable and its args and calls when __str__ is called
 
diff --git a/neutron/db/ipam_backend_mixin.py b/neutron/db/ipam_backend_mixin.py
index 66883ab9640..1c55bd3dac0 100644
--- a/neutron/db/ipam_backend_mixin.py
+++ b/neutron/db/ipam_backend_mixin.py
@@ -22,6 +22,7 @@ from neutron_lib.api.definitions import portbindings
 from neutron_lib.api import validators
 from neutron_lib import constants as const
 from neutron_lib import exceptions as exc
+from neutron_lib.utils import net
 from oslo_config import cfg
 from oslo_db import exception as db_exc
 from oslo_log import log as logging
@@ -320,7 +321,7 @@ class IpamBackendMixin(db_base_plugin_common.DbBasePluginCommon):
                                             subnet_cidr=subnet_cidr)
 
     def _validate_max_ips_per_port(self, fixed_ip_list, device_owner):
-        if common_utils.is_port_trusted({'device_owner': device_owner}):
+        if net.is_port_trusted({'device_owner': device_owner}):
             return
 
         if len(fixed_ip_list) > cfg.CONF.max_fixed_ips_per_port:
diff --git a/neutron/db/portsecurity_db.py b/neutron/db/portsecurity_db.py
index 0129b8573e1..584bba12715 100644
--- a/neutron/db/portsecurity_db.py
+++ b/neutron/db/portsecurity_db.py
@@ -14,9 +14,9 @@
 
 from neutron_lib.api import validators
 from neutron_lib.plugins import directory
+from neutron_lib.utils import net
 
 from neutron.api.v2 import attributes as attrs
-from neutron.common import utils
 from neutron.db import _resource_extend as resource_extend
 from neutron.db import portsecurity_db_common
 from neutron.extensions import portsecurity as psec
@@ -43,7 +43,7 @@ class PortSecurityDbMixin(portsecurity_db_common.PortSecurityDbCommon):
         """
         has_ip = self._ip_on_port(port)
         # we don't apply security groups for dhcp, router
-        if port.get('device_owner') and utils.is_port_trusted(port):
+        if port.get('device_owner') and net.is_port_trusted(port):
             return (False, has_ip)
 
         if validators.is_attr_set(port.get(psec.PORTSECURITY)):
diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index 05585278d4e..fabd201ba14 100644
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -20,6 +20,7 @@ from neutron_lib.callbacks import registry
 from neutron_lib.callbacks import resources
 from neutron_lib import constants
 from neutron_lib.utils import helpers
+from neutron_lib.utils import net
 from oslo_utils import uuidutils
 from sqlalchemy.orm import exc
 from sqlalchemy.orm import scoped_session
@@ -27,7 +28,6 @@ from sqlalchemy.orm import scoped_session
 from neutron._i18n import _
 from neutron.api.v2 import attributes
 from neutron.common import constants as n_const
-from neutron.common import utils
 from neutron.db import _model_query as model_query
 from neutron.db import _resource_extend as resource_extend
 from neutron.db import _utils as db_utils
@@ -730,7 +730,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
         port = port['port']
         if not validators.is_attr_set(port.get(ext_sg.SECURITYGROUPS)):
             return
-        if port.get('device_owner') and utils.is_port_trusted(port):
+        if port.get('device_owner') and net.is_port_trusted(port):
             return
 
         port_sg = port.get(ext_sg.SECURITYGROUPS, [])
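Review bot: The comment `# we don't apply security groups for dhcp, router` directly above the changed line in the second portsecurity_db.py hunk is now the only in-tree explanation of why the bypass is safe, because the `is_port_trusted` docstring that recorded the trust basis (a `device_owner` starting with `network:`, which the default policy restricts to privileged callers) is deleted from neutron/common/utils.py in this same patch. Keep that dependency visible at the decision point, e.g. `# trusted 'network:*' device_owner ports skip port security; safe only because policy restricts who may set that prefix`. The same comment precedes the changed lines in securitygroups_db.py and port_security.py and would benefit from the same wording. The method this hunk changes begins outside the hunk.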
@@ -752,7 +752,7 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
     def _ensure_default_security_group_on_port(self, context, port):
         # we don't apply security groups for dhcp, router
         port = port['port']
-        if port.get('device_owner') and utils.is_port_trusted(port):
+        if port.get('device_owner') and net.is_port_trusted(port):
             return
         default_sg = self._ensure_default_security_group(context,
                                                          port['tenant_id'])
diff --git a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
index ec05b127f67..a3a435cf347 100644
--- a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
+++ b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
@@ -14,12 +14,12 @@
 # under the License.
 
 import netaddr
+from neutron_lib.utils import net
 from oslo_concurrency import lockutils
 from oslo_log import log as logging
 
 from neutron._i18n import _LI
 from neutron.agent.linux import ip_lib
-from neutron.common import utils
 
 LOG = logging.getLogger(__name__)
 SPOOF_CHAIN_PREFIX = 'neutronARP-'
@@ -34,7 +34,7 @@ def setup_arp_spoofing_protection(vif, port_details):
         LOG.info(_LI("Skipping ARP spoofing rules for port '%s' because "
                      "it has port security disabled"), vif)
         return
-    if utils.is_port_trusted(port_details):
+    if net.is_port_trusted(port_details):
         # clear any previous entries related to this port
         delete_arp_spoofing_protection([vif], current_rules)
         LOG.debug("Skipping ARP spoofing rules for network owned port "
diff --git a/neutron/plugins/ml2/extensions/port_security.py b/neutron/plugins/ml2/extensions/port_security.py
index 7634d6d1c0c..c6d03117319 100644
--- a/neutron/plugins/ml2/extensions/port_security.py
+++ b/neutron/plugins/ml2/extensions/port_security.py
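Review bot: `net.is_port_trusted(port_details)` in the second arp_protect.py hunk is called without the `.get('device_owner') and` guard that the server-side call sites in portsecurity_db.py, securitygroups_db.py and port_security.py put in front of the same helper; if the rehomed function indexes `port['device_owner']` the way the removed neutron.common.utils version did, a port_details payload without that key raises KeyError here before any spoofing rules are installed for the port. If the agent RPC payload always carries device_owner this is fine and a comment saying so would suffice; otherwise `if port_details.get('device_owner') and net.is_port_trusted(port_details):` keeps the trusted-port bypass consistent with the other callers. The `if port and not net.is_port_trusted(port)` line in securitygroups_rpc.py has the same unguarded shape. setup_arp_spoofing_protection begins and ends outside the hunk.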
@@ -14,10 +14,10 @@
 # under the License.
 
 from neutron_lib.api import validators
+from neutron_lib.utils import net
 from oslo_log import log as logging
 
 from neutron._i18n import _LI
-from neutron.common import utils
 from neutron.db import common_db_mixin
 from neutron.db import portsecurity_db_common as ps_db_common
 from neutron.extensions import portsecurity as psec
@@ -72,7 +72,7 @@ class PortSecurityExtensionDriver(api.ExtensionDriver,
         otherwise the value associated with the network is returned.
         """
         # we don't apply security groups for dhcp, router
-        if port.get('device_owner') and utils.is_port_trusted(port):
+        if port.get('device_owner') and net.is_port_trusted(port):
             return False
 
         if validators.is_attr_set(port.get(psec.PORTSECURITY)):